sign.cpp
1 // Copyright (c) 2009-2010 Satoshi Nakamoto 2 // Copyright (c) 2009-present The Bitcoin Core developers 3 // Distributed under the MIT software license, see the accompanying 4 // file COPYING or http://www.opensource.org/licenses/mit-license.php. 5 6 #include <script/sign.h> 7 8 #include <consensus/amount.h> 9 #include <key.h> 10 #include <musig.h> 11 #include <policy/policy.h> 12 #include <primitives/transaction.h> 13 #include <random.h> 14 #include <script/keyorigin.h> 15 #include <script/miniscript.h> 16 #include <script/script.h> 17 #include <script/signingprovider.h> 18 #include <script/solver.h> 19 #include <uint256.h> 20 #include <util/translation.h> 21 #include <util/vector.h> 22 23 typedef std::vector<unsigned char> valtype; 24 25 MutableTransactionSignatureCreator::MutableTransactionSignatureCreator(const CMutableTransaction& tx, unsigned int input_idx, const CAmount& amount, int hash_type) 26 : m_txto{tx}, nIn{input_idx}, nHashType{hash_type}, amount{amount}, checker{&m_txto, nIn, amount, MissingDataBehavior::FAIL}, 27 m_txdata(nullptr) 28 { 29 } 30 31 MutableTransactionSignatureCreator::MutableTransactionSignatureCreator(const CMutableTransaction& tx, unsigned int input_idx, const CAmount& amount, const PrecomputedTransactionData* txdata, int hash_type) 32 : m_txto{tx}, nIn{input_idx}, nHashType{hash_type}, amount{amount}, 33 checker{txdata ? MutableTransactionSignatureChecker{&m_txto, nIn, amount, *txdata, MissingDataBehavior::FAIL} : 34 MutableTransactionSignatureChecker{&m_txto, nIn, amount, MissingDataBehavior::FAIL}}, 35 m_txdata(txdata) 36 { 37 } 38 39 bool MutableTransactionSignatureCreator::CreateSig(const SigningProvider& provider, std::vector<unsigned char>& vchSig, const CKeyID& address, const CScript& scriptCode, SigVersion sigversion) const 40 { 41 assert(sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0); 42 43 CKey key; 44 if (!provider.GetKey(address, key)) 45 return false; 46 47 // Signing with uncompressed keys is disabled in witness scripts 48 if (sigversion == SigVersion::WITNESS_V0 && !key.IsCompressed()) 49 return false; 50 51 // Signing without known amount does not work in witness scripts. 52 if (sigversion == SigVersion::WITNESS_V0 && !MoneyRange(amount)) return false; 53 54 // BASE/WITNESS_V0 signatures don't support explicit SIGHASH_DEFAULT, use SIGHASH_ALL instead. 55 const int hashtype = nHashType == SIGHASH_DEFAULT ? SIGHASH_ALL : nHashType; 56 57 uint256 hash = SignatureHash(scriptCode, m_txto, nIn, hashtype, amount, sigversion, m_txdata); 58 if (!key.Sign(hash, vchSig)) 59 return false; 60 vchSig.push_back((unsigned char)hashtype); 61 return true; 62 } 63 64 std::optional<uint256> MutableTransactionSignatureCreator::ComputeSchnorrSignatureHash(const uint256* leaf_hash, SigVersion sigversion) const 65 { 66 assert(sigversion == SigVersion::TAPROOT || sigversion == SigVersion::TAPSCRIPT); 67 68 // BIP341/BIP342 signing needs lots of precomputed transaction data. While some 69 // (non-SIGHASH_DEFAULT) sighash modes exist that can work with just some subset 70 // of data present, for now, only support signing when everything is provided. 71 if (!m_txdata || !m_txdata->m_bip341_taproot_ready || !m_txdata->m_spent_outputs_ready) return std::nullopt; 72 73 ScriptExecutionData execdata; 74 execdata.m_annex_init = true; 75 execdata.m_annex_present = false; // Only support annex-less signing for now. 76 if (sigversion == SigVersion::TAPSCRIPT) { 77 execdata.m_codeseparator_pos_init = true; 78 execdata.m_codeseparator_pos = 0xFFFFFFFF; // Only support non-OP_CODESEPARATOR BIP342 signing for now. 79 if (!leaf_hash) return std::nullopt; // BIP342 signing needs leaf hash. 80 execdata.m_tapleaf_hash_init = true; 81 execdata.m_tapleaf_hash = *leaf_hash; 82 } 83 uint256 hash; 84 if (!SignatureHashSchnorr(hash, execdata, m_txto, nIn, nHashType, sigversion, *m_txdata, MissingDataBehavior::FAIL)) return std::nullopt; 85 return hash; 86 } 87 88 bool MutableTransactionSignatureCreator::CreateSchnorrSig(const SigningProvider& provider, std::vector<unsigned char>& sig, const XOnlyPubKey& pubkey, const uint256* leaf_hash, const uint256* merkle_root, SigVersion sigversion) const 89 { 90 CKey key; 91 if (!provider.GetKeyByXOnly(pubkey, key)) return false; 92 93 std::optional<uint256> hash = ComputeSchnorrSignatureHash(leaf_hash, sigversion); 94 if (!hash.has_value()) return false; 95 96 sig.resize(64); 97 // Use uint256{} as aux_rnd for now. 98 if (!key.SignSchnorr(*hash, sig, merkle_root, {})) return false; 99 if (nHashType) sig.push_back(nHashType); 100 return true; 101 } 102 103 std::vector<uint8_t> MutableTransactionSignatureCreator::CreateMuSig2Nonce(const SigningProvider& provider, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256* leaf_hash, const uint256* merkle_root, SigVersion sigversion, const SignatureData& sigdata) const 104 { 105 assert(sigversion == SigVersion::TAPROOT || sigversion == SigVersion::TAPSCRIPT); 106 107 // Retrieve the private key 108 CKey key; 109 if (!provider.GetKey(part_pubkey.GetID(), key)) return {}; 110 111 // Retrieve participant pubkeys 112 auto it = sigdata.musig2_pubkeys.find(aggregate_pubkey); 113 if (it == sigdata.musig2_pubkeys.end()) return {}; 114 const std::vector<CPubKey>& pubkeys = it->second; 115 if (std::find(pubkeys.begin(), pubkeys.end(), part_pubkey) == pubkeys.end()) return {}; 116 117 // Compute sighash 118 std::optional<uint256> sighash = ComputeSchnorrSignatureHash(leaf_hash, sigversion); 119 if (!sighash.has_value()) return {}; 120 121 MuSig2SecNonce secnonce; 122 std::vector<uint8_t> out = key.CreateMuSig2Nonce(secnonce, *sighash, aggregate_pubkey, pubkeys); 123 if (out.empty()) return {}; 124 125 // Store the secnonce in the SigningProvider 126 provider.SetMuSig2SecNonce(MuSig2SessionID(script_pubkey, part_pubkey, *sighash), std::move(secnonce)); 127 128 return out; 129 } 130 131 bool MutableTransactionSignatureCreator::CreateMuSig2PartialSig(const SigningProvider& provider, uint256& partial_sig, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256* leaf_hash, const std::vector<std::pair<uint256, bool>>& tweaks, SigVersion sigversion, const SignatureData& sigdata) const 132 { 133 assert(sigversion == SigVersion::TAPROOT || sigversion == SigVersion::TAPSCRIPT); 134 135 // Retrieve private key 136 CKey key; 137 if (!provider.GetKey(part_pubkey.GetID(), key)) return false; 138 139 // Retrieve participant pubkeys 140 auto it = sigdata.musig2_pubkeys.find(aggregate_pubkey); 141 if (it == sigdata.musig2_pubkeys.end()) return false; 142 const std::vector<CPubKey>& pubkeys = it->second; 143 if (std::find(pubkeys.begin(), pubkeys.end(), part_pubkey) == pubkeys.end()) return {}; 144 145 // Retrieve pubnonces 146 auto this_leaf_aggkey = std::make_pair(script_pubkey, leaf_hash ? *leaf_hash : uint256()); 147 auto pubnonce_it = sigdata.musig2_pubnonces.find(this_leaf_aggkey); 148 if (pubnonce_it == sigdata.musig2_pubnonces.end()) return false; 149 const std::map<CPubKey, std::vector<uint8_t>>& pubnonces = pubnonce_it->second; 150 151 // Check if enough pubnonces 152 if (pubnonces.size() != pubkeys.size()) return false; 153 154 // Compute sighash 155 std::optional<uint256> sighash = ComputeSchnorrSignatureHash(leaf_hash, sigversion); 156 if (!sighash.has_value()) return false; 157 158 // Retrieve the secnonce 159 uint256 session_id = MuSig2SessionID(script_pubkey, part_pubkey, *sighash); 160 std::optional<std::reference_wrapper<MuSig2SecNonce>> secnonce = provider.GetMuSig2SecNonce(session_id); 161 if (!secnonce || !secnonce->get().IsValid()) return false; 162 163 // Compute the sig 164 std::optional<uint256> sig = key.CreateMuSig2PartialSig(*sighash, aggregate_pubkey, pubkeys, pubnonces, *secnonce, tweaks); 165 if (!sig) return false; 166 partial_sig = std::move(*sig); 167 168 // Delete the secnonce now that we're done with it 169 assert(!secnonce->get().IsValid()); 170 provider.DeleteMuSig2Session(session_id); 171 172 return true; 173 } 174 175 bool MutableTransactionSignatureCreator::CreateMuSig2AggregateSig(const std::vector<CPubKey>& participants, std::vector<uint8_t>& sig, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const uint256* leaf_hash, const std::vector<std::pair<uint256, bool>>& tweaks, SigVersion sigversion, const SignatureData& sigdata) const 176 { 177 assert(sigversion == SigVersion::TAPROOT || sigversion == SigVersion::TAPSCRIPT); 178 if (!participants.size()) return false; 179 180 // Retrieve pubnonces and partial sigs 181 auto this_leaf_aggkey = std::make_pair(script_pubkey, leaf_hash ? *leaf_hash : uint256()); 182 auto pubnonce_it = sigdata.musig2_pubnonces.find(this_leaf_aggkey); 183 if (pubnonce_it == sigdata.musig2_pubnonces.end()) return false; 184 const std::map<CPubKey, std::vector<uint8_t>>& pubnonces = pubnonce_it->second; 185 auto partial_sigs_it = sigdata.musig2_partial_sigs.find(this_leaf_aggkey); 186 if (partial_sigs_it == sigdata.musig2_partial_sigs.end()) return false; 187 const std::map<CPubKey, uint256>& partial_sigs = partial_sigs_it->second; 188 189 // Check if enough pubnonces and partial sigs 190 if (pubnonces.size() != participants.size()) return false; 191 if (partial_sigs.size() != participants.size()) return false; 192 193 // Compute sighash 194 std::optional<uint256> sighash = ComputeSchnorrSignatureHash(leaf_hash, sigversion); 195 if (!sighash.has_value()) return false; 196 197 std::optional<std::vector<uint8_t>> res = ::CreateMuSig2AggregateSig(participants, aggregate_pubkey, tweaks, *sighash, pubnonces, partial_sigs); 198 if (!res) return false; 199 sig = res.value(); 200 if (nHashType) sig.push_back(nHashType); 201 202 return true; 203 } 204 205 static bool GetCScript(const SigningProvider& provider, const SignatureData& sigdata, const CScriptID& scriptid, CScript& script) 206 { 207 if (provider.GetCScript(scriptid, script)) { 208 return true; 209 } 210 // Look for scripts in SignatureData 211 if (CScriptID(sigdata.redeem_script) == scriptid) { 212 script = sigdata.redeem_script; 213 return true; 214 } else if (CScriptID(sigdata.witness_script) == scriptid) { 215 script = sigdata.witness_script; 216 return true; 217 } 218 return false; 219 } 220 221 static bool GetPubKey(const SigningProvider& provider, const SignatureData& sigdata, const CKeyID& address, CPubKey& pubkey) 222 { 223 // Look for pubkey in all partial sigs 224 const auto it = sigdata.signatures.find(address); 225 if (it != sigdata.signatures.end()) { 226 pubkey = it->second.first; 227 return true; 228 } 229 // Look for pubkey in pubkey lists 230 const auto& pk_it = sigdata.misc_pubkeys.find(address); 231 if (pk_it != sigdata.misc_pubkeys.end()) { 232 pubkey = pk_it->second.first; 233 return true; 234 } 235 const auto& tap_pk_it = sigdata.tap_pubkeys.find(address); 236 if (tap_pk_it != sigdata.tap_pubkeys.end()) { 237 pubkey = tap_pk_it->second.GetEvenCorrespondingCPubKey(); 238 return true; 239 } 240 // Query the underlying provider 241 return provider.GetPubKey(address, pubkey); 242 } 243 244 static bool CreateSig(const BaseSignatureCreator& creator, SignatureData& sigdata, const SigningProvider& provider, std::vector<unsigned char>& sig_out, const CPubKey& pubkey, const CScript& scriptcode, SigVersion sigversion) 245 { 246 CKeyID keyid = pubkey.GetID(); 247 const auto it = sigdata.signatures.find(keyid); 248 if (it != sigdata.signatures.end()) { 249 sig_out = it->second.second; 250 return true; 251 } 252 KeyOriginInfo info; 253 if (provider.GetKeyOrigin(keyid, info)) { 254 sigdata.misc_pubkeys.emplace(keyid, std::make_pair(pubkey, std::move(info))); 255 } 256 if (creator.CreateSig(provider, sig_out, keyid, scriptcode, sigversion)) { 257 auto i = sigdata.signatures.emplace(keyid, SigPair(pubkey, sig_out)); 258 assert(i.second); 259 return true; 260 } 261 // Could not make signature or signature not found, add keyid to missing 262 sigdata.missing_sigs.push_back(keyid); 263 return false; 264 } 265 266 static bool SignMuSig2(const BaseSignatureCreator& creator, SignatureData& sigdata, const SigningProvider& provider, std::vector<unsigned char>& sig_out, const XOnlyPubKey& script_pubkey, const uint256* merkle_root, const uint256* leaf_hash, SigVersion sigversion) 267 { 268 Assert(sigversion == SigVersion::TAPROOT || sigversion == SigVersion::TAPSCRIPT); 269 270 // Lookup derivation paths for the script pubkey 271 KeyOriginInfo agg_info; 272 auto misc_pk_it = sigdata.taproot_misc_pubkeys.find(script_pubkey); 273 if (misc_pk_it != sigdata.taproot_misc_pubkeys.end()) { 274 agg_info = misc_pk_it->second.second; 275 } 276 277 for (const auto& [agg_pub, part_pks] : sigdata.musig2_pubkeys) { 278 if (part_pks.empty()) continue; 279 280 // Fill participant derivation path info 281 for (const auto& part_pk : part_pks) { 282 KeyOriginInfo part_info; 283 if (provider.GetKeyOrigin(part_pk.GetID(), part_info)) { 284 XOnlyPubKey xonly_part(part_pk); 285 auto it = sigdata.taproot_misc_pubkeys.find(xonly_part); 286 if (it == sigdata.taproot_misc_pubkeys.end()) { 287 it = sigdata.taproot_misc_pubkeys.emplace(xonly_part, std::make_pair(std::set<uint256>(), part_info)).first; 288 } 289 if (leaf_hash) it->second.first.insert(*leaf_hash); 290 } 291 } 292 293 // The pubkey in the script may not be the actual aggregate of the participants, but derived from it. 294 // Check the derivation, and compute the BIP 32 derivation tweaks 295 std::vector<std::pair<uint256, bool>> tweaks; 296 CPubKey plain_pub = agg_pub; 297 if (XOnlyPubKey(agg_pub) != script_pubkey) { 298 if (agg_info.path.empty()) continue; 299 // Compute and compare fingerprint 300 CKeyID keyid = agg_pub.GetID(); 301 if (!std::equal(agg_info.fingerprint, agg_info.fingerprint + sizeof(agg_info.fingerprint), keyid.data())) { 302 continue; 303 } 304 // Get the BIP32 derivation tweaks 305 CExtPubKey extpub = CreateMuSig2SyntheticXpub(agg_pub); 306 for (const int i : agg_info.path) { 307 auto& [t, xonly] = tweaks.emplace_back(); 308 xonly = false; 309 if (!extpub.Derive(extpub, i, &t)) { 310 return false; 311 } 312 } 313 Assert(XOnlyPubKey(extpub.pubkey) == script_pubkey); 314 plain_pub = extpub.pubkey; 315 } 316 317 // Add the merkle root tweak 318 if (sigversion == SigVersion::TAPROOT && merkle_root) { 319 tweaks.emplace_back(script_pubkey.ComputeTapTweakHash(merkle_root->IsNull() ? nullptr : merkle_root), true); 320 std::optional<std::pair<XOnlyPubKey, bool>> tweaked = script_pubkey.CreateTapTweak(merkle_root->IsNull() ? nullptr : merkle_root); 321 if (!Assume(tweaked)) return false; 322 plain_pub = tweaked->first.GetCPubKeys().at(tweaked->second ? 1 : 0); 323 } 324 325 // First try to aggregate 326 if (creator.CreateMuSig2AggregateSig(part_pks, sig_out, agg_pub, plain_pub, leaf_hash, tweaks, sigversion, sigdata)) { 327 if (sigversion == SigVersion::TAPROOT) { 328 sigdata.taproot_key_path_sig = sig_out; 329 } else { 330 auto lookup_key = std::make_pair(script_pubkey, leaf_hash ? *leaf_hash : uint256()); 331 sigdata.taproot_script_sigs[lookup_key] = sig_out; 332 } 333 continue; 334 } 335 // Cannot aggregate, try making partial sigs for every participant 336 auto pub_key_leaf_hash = std::make_pair(plain_pub, leaf_hash ? *leaf_hash : uint256()); 337 for (const CPubKey& part_pk : part_pks) { 338 uint256 partial_sig; 339 if (creator.CreateMuSig2PartialSig(provider, partial_sig, agg_pub, plain_pub, part_pk, leaf_hash, tweaks, sigversion, sigdata) && Assume(!partial_sig.IsNull())) { 340 sigdata.musig2_partial_sigs[pub_key_leaf_hash].emplace(part_pk, partial_sig); 341 } 342 } 343 // If there are any partial signatures, continue with next aggregate pubkey 344 auto partial_sigs_it = sigdata.musig2_partial_sigs.find(pub_key_leaf_hash); 345 if (partial_sigs_it != sigdata.musig2_partial_sigs.end() && !partial_sigs_it->second.empty()) { 346 continue; 347 } 348 // No partial sigs, try to make pubnonces 349 std::map<CPubKey, std::vector<uint8_t>>& pubnonces = sigdata.musig2_pubnonces[pub_key_leaf_hash]; 350 for (const CPubKey& part_pk : part_pks) { 351 if (pubnonces.contains(part_pk)) continue; 352 std::vector<uint8_t> pubnonce = creator.CreateMuSig2Nonce(provider, agg_pub, plain_pub, part_pk, leaf_hash, merkle_root, sigversion, sigdata); 353 if (pubnonce.empty()) continue; 354 pubnonces[part_pk] = std::move(pubnonce); 355 } 356 } 357 return true; 358 } 359 360 static bool CreateTaprootScriptSig(const BaseSignatureCreator& creator, SignatureData& sigdata, const SigningProvider& provider, std::vector<unsigned char>& sig_out, const XOnlyPubKey& pubkey, const uint256& leaf_hash, SigVersion sigversion) 361 { 362 KeyOriginInfo info; 363 if (provider.GetKeyOriginByXOnly(pubkey, info)) { 364 auto it = sigdata.taproot_misc_pubkeys.find(pubkey); 365 if (it == sigdata.taproot_misc_pubkeys.end()) { 366 sigdata.taproot_misc_pubkeys.emplace(pubkey, std::make_pair(std::set<uint256>({leaf_hash}), info)); 367 } else { 368 it->second.first.insert(leaf_hash); 369 } 370 } 371 372 auto lookup_key = std::make_pair(pubkey, leaf_hash); 373 auto it = sigdata.taproot_script_sigs.find(lookup_key); 374 if (it != sigdata.taproot_script_sigs.end()) { 375 sig_out = it->second; 376 return true; 377 } 378 379 if (creator.CreateSchnorrSig(provider, sig_out, pubkey, &leaf_hash, nullptr, sigversion)) { 380 sigdata.taproot_script_sigs[lookup_key] = sig_out; 381 } else if (!SignMuSig2(creator, sigdata, provider, sig_out, pubkey, /*merkle_root=*/nullptr, &leaf_hash, sigversion)) { 382 return false; 383 } 384 385 return sigdata.taproot_script_sigs.contains(lookup_key); 386 } 387 388 template<typename M, typename K, typename V> 389 miniscript::Availability MsLookupHelper(const M& map, const K& key, V& value) 390 { 391 auto it = map.find(key); 392 if (it != map.end()) { 393 value = it->second; 394 return miniscript::Availability::YES; 395 } 396 return miniscript::Availability::NO; 397 } 398 399 /** 400 * Context for solving a Miniscript. 401 * If enough material (access to keys, hash preimages, ..) is given, produces a valid satisfaction. 402 */ 403 template<typename Pk> 404 struct Satisfier { 405 using Key = Pk; 406 407 const SigningProvider& m_provider; 408 SignatureData& m_sig_data; 409 const BaseSignatureCreator& m_creator; 410 const CScript& m_witness_script; 411 //! The context of the script we are satisfying (either P2WSH or Tapscript). 412 const miniscript::MiniscriptContext m_script_ctx; 413 414 explicit Satisfier(const SigningProvider& provider LIFETIMEBOUND, SignatureData& sig_data LIFETIMEBOUND, 415 const BaseSignatureCreator& creator LIFETIMEBOUND, 416 const CScript& witscript LIFETIMEBOUND, 417 miniscript::MiniscriptContext script_ctx) : m_provider(provider), 418 m_sig_data(sig_data), 419 m_creator(creator), 420 m_witness_script(witscript), 421 m_script_ctx(script_ctx) {} 422 423 static bool KeyCompare(const Key& a, const Key& b) { 424 return a < b; 425 } 426 427 //! Get a CPubKey from a key hash. Note the key hash may be of an xonly pubkey. 428 template<typename I> 429 std::optional<CPubKey> CPubFromPKHBytes(I first, I last) const { 430 assert(last - first == 20); 431 CPubKey pubkey; 432 CKeyID key_id; 433 std::copy(first, last, key_id.begin()); 434 if (GetPubKey(m_provider, m_sig_data, key_id, pubkey)) return pubkey; 435 m_sig_data.missing_pubkeys.push_back(key_id); 436 return {}; 437 } 438 439 //! Conversion to raw public key. 440 std::vector<unsigned char> ToPKBytes(const Key& key) const { return {key.begin(), key.end()}; } 441 442 //! Time lock satisfactions. 443 bool CheckAfter(uint32_t value) const { return m_creator.Checker().CheckLockTime(CScriptNum(value)); } 444 bool CheckOlder(uint32_t value) const { return m_creator.Checker().CheckSequence(CScriptNum(value)); } 445 446 //! Hash preimage satisfactions. 447 miniscript::Availability SatSHA256(const std::vector<unsigned char>& hash, std::vector<unsigned char>& preimage) const { 448 return MsLookupHelper(m_sig_data.sha256_preimages, hash, preimage); 449 } 450 miniscript::Availability SatRIPEMD160(const std::vector<unsigned char>& hash, std::vector<unsigned char>& preimage) const { 451 return MsLookupHelper(m_sig_data.ripemd160_preimages, hash, preimage); 452 } 453 miniscript::Availability SatHASH256(const std::vector<unsigned char>& hash, std::vector<unsigned char>& preimage) const { 454 return MsLookupHelper(m_sig_data.hash256_preimages, hash, preimage); 455 } 456 miniscript::Availability SatHASH160(const std::vector<unsigned char>& hash, std::vector<unsigned char>& preimage) const { 457 return MsLookupHelper(m_sig_data.hash160_preimages, hash, preimage); 458 } 459 460 miniscript::MiniscriptContext MsContext() const { 461 return m_script_ctx; 462 } 463 }; 464 465 /** Miniscript satisfier specific to P2WSH context. */ 466 struct WshSatisfier: Satisfier<CPubKey> { 467 explicit WshSatisfier(const SigningProvider& provider LIFETIMEBOUND, SignatureData& sig_data LIFETIMEBOUND, 468 const BaseSignatureCreator& creator LIFETIMEBOUND, const CScript& witscript LIFETIMEBOUND) 469 : Satisfier(provider, sig_data, creator, witscript, miniscript::MiniscriptContext::P2WSH) {} 470 471 //! Conversion from a raw compressed public key. 472 template <typename I> 473 std::optional<CPubKey> FromPKBytes(I first, I last) const { 474 CPubKey pubkey{first, last}; 475 if (pubkey.IsValid()) return pubkey; 476 return {}; 477 } 478 479 //! Conversion from a raw compressed public key hash. 480 template<typename I> 481 std::optional<CPubKey> FromPKHBytes(I first, I last) const { 482 return Satisfier::CPubFromPKHBytes(first, last); 483 } 484 485 //! Satisfy an ECDSA signature check. 486 miniscript::Availability Sign(const CPubKey& key, std::vector<unsigned char>& sig) const { 487 if (CreateSig(m_creator, m_sig_data, m_provider, sig, key, m_witness_script, SigVersion::WITNESS_V0)) { 488 return miniscript::Availability::YES; 489 } 490 return miniscript::Availability::NO; 491 } 492 }; 493 494 /** Miniscript satisfier specific to Tapscript context. */ 495 struct TapSatisfier: Satisfier<XOnlyPubKey> { 496 const uint256& m_leaf_hash; 497 498 explicit TapSatisfier(const SigningProvider& provider LIFETIMEBOUND, SignatureData& sig_data LIFETIMEBOUND, 499 const BaseSignatureCreator& creator LIFETIMEBOUND, const CScript& script LIFETIMEBOUND, 500 const uint256& leaf_hash LIFETIMEBOUND) 501 : Satisfier(provider, sig_data, creator, script, miniscript::MiniscriptContext::TAPSCRIPT), 502 m_leaf_hash(leaf_hash) {} 503 504 //! Conversion from a raw xonly public key. 505 template <typename I> 506 std::optional<XOnlyPubKey> FromPKBytes(I first, I last) const { 507 if (last - first != 32) return {}; 508 XOnlyPubKey pubkey; 509 std::copy(first, last, pubkey.begin()); 510 return pubkey; 511 } 512 513 //! Conversion from a raw xonly public key hash. 514 template<typename I> 515 std::optional<XOnlyPubKey> FromPKHBytes(I first, I last) const { 516 if (auto pubkey = Satisfier::CPubFromPKHBytes(first, last)) return XOnlyPubKey{*pubkey}; 517 return {}; 518 } 519 520 //! Satisfy a BIP340 signature check. 521 miniscript::Availability Sign(const XOnlyPubKey& key, std::vector<unsigned char>& sig) const { 522 if (CreateTaprootScriptSig(m_creator, m_sig_data, m_provider, sig, key, m_leaf_hash, SigVersion::TAPSCRIPT)) { 523 return miniscript::Availability::YES; 524 } 525 return miniscript::Availability::NO; 526 } 527 }; 528 529 static bool SignTaprootScript(const SigningProvider& provider, const BaseSignatureCreator& creator, SignatureData& sigdata, int leaf_version, std::span<const unsigned char> script_bytes, std::vector<valtype>& result) 530 { 531 // Only BIP342 tapscript signing is supported for now. 532 if (leaf_version != TAPROOT_LEAF_TAPSCRIPT) return false; 533 534 uint256 leaf_hash = ComputeTapleafHash(leaf_version, script_bytes); 535 CScript script = CScript(script_bytes.begin(), script_bytes.end()); 536 537 TapSatisfier ms_satisfier{provider, sigdata, creator, script, leaf_hash}; 538 const auto ms = miniscript::FromScript(script, ms_satisfier); 539 return ms && ms->Satisfy(ms_satisfier, result) == miniscript::Availability::YES; 540 } 541 542 static bool SignTaproot(const SigningProvider& provider, const BaseSignatureCreator& creator, const WitnessV1Taproot& output, SignatureData& sigdata, std::vector<valtype>& result) 543 { 544 TaprootSpendData spenddata; 545 TaprootBuilder builder; 546 547 // Gather information about this output. 548 if (provider.GetTaprootSpendData(output, spenddata)) { 549 sigdata.tr_spenddata.Merge(spenddata); 550 } 551 if (provider.GetTaprootBuilder(output, builder)) { 552 sigdata.tr_builder = builder; 553 } 554 if (auto agg_keys = provider.GetAllMuSig2ParticipantPubkeys(); !agg_keys.empty()) { 555 sigdata.musig2_pubkeys.insert(agg_keys.begin(), agg_keys.end()); 556 } 557 558 559 // Try key path spending. 560 { 561 KeyOriginInfo internal_key_info; 562 if (provider.GetKeyOriginByXOnly(sigdata.tr_spenddata.internal_key, internal_key_info)) { 563 auto it = sigdata.taproot_misc_pubkeys.find(sigdata.tr_spenddata.internal_key); 564 if (it == sigdata.taproot_misc_pubkeys.end()) { 565 sigdata.taproot_misc_pubkeys.emplace(sigdata.tr_spenddata.internal_key, std::make_pair(std::set<uint256>(), internal_key_info)); 566 } 567 } 568 569 KeyOriginInfo output_key_info; 570 if (provider.GetKeyOriginByXOnly(output, output_key_info)) { 571 auto it = sigdata.taproot_misc_pubkeys.find(output); 572 if (it == sigdata.taproot_misc_pubkeys.end()) { 573 sigdata.taproot_misc_pubkeys.emplace(output, std::make_pair(std::set<uint256>(), output_key_info)); 574 } 575 } 576 577 auto make_keypath_sig = [&](const XOnlyPubKey& pk, const uint256* merkle_root) { 578 std::vector<unsigned char> sig; 579 if (creator.CreateSchnorrSig(provider, sig, pk, nullptr, merkle_root, SigVersion::TAPROOT)) { 580 sigdata.taproot_key_path_sig = sig; 581 } else { 582 SignMuSig2(creator, sigdata, provider, sig, pk, merkle_root, /*leaf_hash=*/nullptr, SigVersion::TAPROOT); 583 } 584 }; 585 586 // First try signing with internal key 587 if (sigdata.taproot_key_path_sig.size() == 0) { 588 make_keypath_sig(sigdata.tr_spenddata.internal_key, &sigdata.tr_spenddata.merkle_root); 589 } 590 // Try signing with output key if still no signature 591 if (sigdata.taproot_key_path_sig.size() == 0) { 592 make_keypath_sig(output, nullptr); 593 } 594 if (sigdata.taproot_key_path_sig.size()) { 595 result = Vector(sigdata.taproot_key_path_sig); 596 return true; 597 } 598 } 599 600 // Try script path spending. 601 std::vector<std::vector<unsigned char>> smallest_result_stack; 602 for (const auto& [key, control_blocks] : sigdata.tr_spenddata.scripts) { 603 const auto& [script, leaf_ver] = key; 604 std::vector<std::vector<unsigned char>> result_stack; 605 if (SignTaprootScript(provider, creator, sigdata, leaf_ver, script, result_stack)) { 606 result_stack.emplace_back(std::begin(script), std::end(script)); // Push the script 607 result_stack.push_back(*control_blocks.begin()); // Push the smallest control block 608 if (smallest_result_stack.size() == 0 || 609 GetSerializeSize(result_stack) < GetSerializeSize(smallest_result_stack)) { 610 smallest_result_stack = std::move(result_stack); 611 } 612 } 613 } 614 if (smallest_result_stack.size() != 0) { 615 result = std::move(smallest_result_stack); 616 return true; 617 } 618 619 return false; 620 } 621 622 /** 623 * Sign scriptPubKey using signature made with creator. 624 * Signatures are returned in scriptSigRet (or returns false if scriptPubKey can't be signed), 625 * unless whichTypeRet is TxoutType::SCRIPTHASH, in which case scriptSigRet is the redemption script. 626 * Returns false if scriptPubKey could not be completely satisfied. 627 */ 628 static bool SignStep(const SigningProvider& provider, const BaseSignatureCreator& creator, const CScript& scriptPubKey, 629 std::vector<valtype>& ret, TxoutType& whichTypeRet, SigVersion sigversion, SignatureData& sigdata) 630 { 631 CScript scriptRet; 632 ret.clear(); 633 std::vector<unsigned char> sig; 634 635 std::vector<valtype> vSolutions; 636 whichTypeRet = Solver(scriptPubKey, vSolutions); 637 638 switch (whichTypeRet) { 639 case TxoutType::NONSTANDARD: 640 case TxoutType::NULL_DATA: 641 case TxoutType::WITNESS_UNKNOWN: 642 return false; 643 case TxoutType::PUBKEY: 644 if (!CreateSig(creator, sigdata, provider, sig, CPubKey(vSolutions[0]), scriptPubKey, sigversion)) return false; 645 ret.push_back(std::move(sig)); 646 return true; 647 case TxoutType::PUBKEYHASH: { 648 CKeyID keyID = CKeyID(uint160(vSolutions[0])); 649 CPubKey pubkey; 650 if (!GetPubKey(provider, sigdata, keyID, pubkey)) { 651 // Pubkey could not be found, add to missing 652 sigdata.missing_pubkeys.push_back(keyID); 653 return false; 654 } 655 if (!CreateSig(creator, sigdata, provider, sig, pubkey, scriptPubKey, sigversion)) return false; 656 ret.push_back(std::move(sig)); 657 ret.push_back(ToByteVector(pubkey)); 658 return true; 659 } 660 case TxoutType::SCRIPTHASH: { 661 uint160 h160{vSolutions[0]}; 662 if (GetCScript(provider, sigdata, CScriptID{h160}, scriptRet)) { 663 ret.emplace_back(scriptRet.begin(), scriptRet.end()); 664 return true; 665 } 666 // Could not find redeemScript, add to missing 667 sigdata.missing_redeem_script = h160; 668 return false; 669 } 670 case TxoutType::MULTISIG: { 671 size_t required = vSolutions.front()[0]; 672 ret.emplace_back(); // workaround CHECKMULTISIG bug 673 for (size_t i = 1; i < vSolutions.size() - 1; ++i) { 674 CPubKey pubkey = CPubKey(vSolutions[i]); 675 // We need to always call CreateSig in order to fill sigdata with all 676 // possible signatures that we can create. This will allow further PSBT 677 // processing to work as it needs all possible signature and pubkey pairs 678 if (CreateSig(creator, sigdata, provider, sig, pubkey, scriptPubKey, sigversion)) { 679 if (ret.size() < required + 1) { 680 ret.push_back(std::move(sig)); 681 } 682 } 683 } 684 bool ok = ret.size() == required + 1; 685 for (size_t i = 0; i + ret.size() < required + 1; ++i) { 686 ret.emplace_back(); 687 } 688 return ok; 689 } 690 case TxoutType::WITNESS_V0_KEYHASH: 691 ret.push_back(vSolutions[0]); 692 return true; 693 694 case TxoutType::WITNESS_V0_SCRIPTHASH: 695 if (GetCScript(provider, sigdata, CScriptID{RIPEMD160(vSolutions[0])}, scriptRet)) { 696 ret.emplace_back(scriptRet.begin(), scriptRet.end()); 697 return true; 698 } 699 // Could not find witnessScript, add to missing 700 sigdata.missing_witness_script = uint256(vSolutions[0]); 701 return false; 702 703 case TxoutType::WITNESS_V1_TAPROOT: 704 return SignTaproot(provider, creator, WitnessV1Taproot(XOnlyPubKey{vSolutions[0]}), sigdata, ret); 705 706 case TxoutType::ANCHOR: 707 return true; 708 } // no default case, so the compiler can warn about missing cases 709 assert(false); 710 } 711 712 static CScript PushAll(const std::vector<valtype>& values) 713 { 714 CScript result; 715 for (const valtype& v : values) { 716 if (v.size() == 0) { 717 result << OP_0; 718 } else if (v.size() == 1 && v[0] >= 1 && v[0] <= 16) { 719 result << CScript::EncodeOP_N(v[0]); 720 } else if (v.size() == 1 && v[0] == 0x81) { 721 result << OP_1NEGATE; 722 } else { 723 result << v; 724 } 725 } 726 return result; 727 } 728 729 bool ProduceSignature(const SigningProvider& provider, const BaseSignatureCreator& creator, const CScript& fromPubKey, SignatureData& sigdata) 730 { 731 if (sigdata.complete) return true; 732 733 std::vector<valtype> result; 734 TxoutType whichType; 735 bool solved = SignStep(provider, creator, fromPubKey, result, whichType, SigVersion::BASE, sigdata); 736 bool P2SH = false; 737 CScript subscript; 738 739 if (solved && whichType == TxoutType::SCRIPTHASH) 740 { 741 // Solver returns the subscript that needs to be evaluated; 742 // the final scriptSig is the signatures from that 743 // and then the serialized subscript: 744 subscript = CScript(result[0].begin(), result[0].end()); 745 sigdata.redeem_script = subscript; 746 solved = solved && SignStep(provider, creator, subscript, result, whichType, SigVersion::BASE, sigdata) && whichType != TxoutType::SCRIPTHASH; 747 P2SH = true; 748 } 749 750 if (solved && whichType == TxoutType::WITNESS_V0_KEYHASH) 751 { 752 CScript witnessscript; 753 witnessscript << OP_DUP << OP_HASH160 << ToByteVector(result[0]) << OP_EQUALVERIFY << OP_CHECKSIG; 754 TxoutType subType; 755 solved = solved && SignStep(provider, creator, witnessscript, result, subType, SigVersion::WITNESS_V0, sigdata); 756 sigdata.scriptWitness.stack = result; 757 sigdata.witness = true; 758 result.clear(); 759 } 760 else if (solved && whichType == TxoutType::WITNESS_V0_SCRIPTHASH) 761 { 762 CScript witnessscript(result[0].begin(), result[0].end()); 763 sigdata.witness_script = witnessscript; 764 765 TxoutType subType{TxoutType::NONSTANDARD}; 766 solved = solved && SignStep(provider, creator, witnessscript, result, subType, SigVersion::WITNESS_V0, sigdata) && subType != TxoutType::SCRIPTHASH && subType != TxoutType::WITNESS_V0_SCRIPTHASH && subType != TxoutType::WITNESS_V0_KEYHASH; 767 768 // If we couldn't find a solution with the legacy satisfier, try satisfying the script using Miniscript. 769 // Note we need to check if the result stack is empty before, because it might be used even if the Script 770 // isn't fully solved. For instance the CHECKMULTISIG satisfaction in SignStep() pushes partial signatures 771 // and the extractor relies on this behaviour to combine witnesses. 772 if (!solved && result.empty()) { 773 WshSatisfier ms_satisfier{provider, sigdata, creator, witnessscript}; 774 const auto ms = miniscript::FromScript(witnessscript, ms_satisfier); 775 solved = ms && ms->Satisfy(ms_satisfier, result) == miniscript::Availability::YES; 776 } 777 result.emplace_back(witnessscript.begin(), witnessscript.end()); 778 779 sigdata.scriptWitness.stack = result; 780 sigdata.witness = true; 781 result.clear(); 782 } else if (whichType == TxoutType::WITNESS_V1_TAPROOT && !P2SH) { 783 sigdata.witness = true; 784 if (solved) { 785 sigdata.scriptWitness.stack = std::move(result); 786 } 787 result.clear(); 788 } else if (solved && whichType == TxoutType::WITNESS_UNKNOWN) { 789 sigdata.witness = true; 790 } 791 792 if (!sigdata.witness) sigdata.scriptWitness.stack.clear(); 793 if (P2SH) { 794 result.emplace_back(subscript.begin(), subscript.end()); 795 } 796 sigdata.scriptSig = PushAll(result); 797 798 // Test solution 799 sigdata.complete = solved && VerifyScript(sigdata.scriptSig, fromPubKey, &sigdata.scriptWitness, STANDARD_SCRIPT_VERIFY_FLAGS, creator.Checker()); 800 return sigdata.complete; 801 } 802 803 namespace { 804 class SignatureExtractorChecker final : public DeferringSignatureChecker 805 { 806 private: 807 SignatureData& sigdata; 808 809 public: 810 SignatureExtractorChecker(SignatureData& sigdata, BaseSignatureChecker& checker) : DeferringSignatureChecker(checker), sigdata(sigdata) {} 811 812 bool CheckECDSASignature(const std::vector<unsigned char>& scriptSig, const std::vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const override 813 { 814 if (m_checker.CheckECDSASignature(scriptSig, vchPubKey, scriptCode, sigversion)) { 815 CPubKey pubkey(vchPubKey); 816 sigdata.signatures.emplace(pubkey.GetID(), SigPair(pubkey, scriptSig)); 817 return true; 818 } 819 return false; 820 } 821 }; 822 823 struct Stacks 824 { 825 std::vector<valtype> script; 826 std::vector<valtype> witness; 827 828 Stacks() = delete; 829 Stacks(const Stacks&) = delete; 830 explicit Stacks(const SignatureData& data) : witness(data.scriptWitness.stack) { 831 EvalScript(script, data.scriptSig, SCRIPT_VERIFY_STRICTENC, BaseSignatureChecker(), SigVersion::BASE); 832 } 833 }; 834 } 835 836 // Extracts signatures and scripts from incomplete scriptSigs. Please do not extend this, use PSBT instead 837 SignatureData DataFromTransaction(const CMutableTransaction& tx, unsigned int nIn, const CTxOut& txout) 838 { 839 SignatureData data; 840 assert(tx.vin.size() > nIn); 841 data.scriptSig = tx.vin[nIn].scriptSig; 842 data.scriptWitness = tx.vin[nIn].scriptWitness; 843 Stacks stack(data); 844 845 // Get signatures 846 MutableTransactionSignatureChecker tx_checker(&tx, nIn, txout.nValue, MissingDataBehavior::FAIL); 847 SignatureExtractorChecker extractor_checker(data, tx_checker); 848 if (VerifyScript(data.scriptSig, txout.scriptPubKey, &data.scriptWitness, STANDARD_SCRIPT_VERIFY_FLAGS, extractor_checker)) { 849 data.complete = true; 850 return data; 851 } 852 853 // Get scripts 854 std::vector<std::vector<unsigned char>> solutions; 855 TxoutType script_type = Solver(txout.scriptPubKey, solutions); 856 SigVersion sigversion = SigVersion::BASE; 857 CScript next_script = txout.scriptPubKey; 858 859 if (script_type == TxoutType::SCRIPTHASH && !stack.script.empty() && !stack.script.back().empty()) { 860 // Get the redeemScript 861 CScript redeem_script(stack.script.back().begin(), stack.script.back().end()); 862 data.redeem_script = redeem_script; 863 next_script = std::move(redeem_script); 864 865 // Get redeemScript type 866 script_type = Solver(next_script, solutions); 867 stack.script.pop_back(); 868 } 869 if (script_type == TxoutType::WITNESS_V0_SCRIPTHASH && !stack.witness.empty() && !stack.witness.back().empty()) { 870 // Get the witnessScript 871 CScript witness_script(stack.witness.back().begin(), stack.witness.back().end()); 872 data.witness_script = witness_script; 873 next_script = std::move(witness_script); 874 875 // Get witnessScript type 876 script_type = Solver(next_script, solutions); 877 stack.witness.pop_back(); 878 stack.script = std::move(stack.witness); 879 stack.witness.clear(); 880 sigversion = SigVersion::WITNESS_V0; 881 } 882 if (script_type == TxoutType::MULTISIG && !stack.script.empty()) { 883 // Build a map of pubkey -> signature by matching sigs to pubkeys: 884 assert(solutions.size() > 1); 885 unsigned int num_pubkeys = solutions.size()-2; 886 unsigned int last_success_key = 0; 887 for (const valtype& sig : stack.script) { 888 for (unsigned int i = last_success_key; i < num_pubkeys; ++i) { 889 const valtype& pubkey = solutions[i+1]; 890 // We either have a signature for this pubkey, or we have found a signature and it is valid 891 if (data.signatures.contains(CPubKey(pubkey).GetID()) || extractor_checker.CheckECDSASignature(sig, pubkey, next_script, sigversion)) { 892 last_success_key = i + 1; 893 break; 894 } 895 } 896 } 897 } 898 899 return data; 900 } 901 902 void UpdateInput(CTxIn& input, const SignatureData& data) 903 { 904 input.scriptSig = data.scriptSig; 905 input.scriptWitness = data.scriptWitness; 906 } 907 908 void SignatureData::MergeSignatureData(SignatureData sigdata) 909 { 910 if (complete) return; 911 if (sigdata.complete) { 912 *this = std::move(sigdata); 913 return; 914 } 915 if (redeem_script.empty() && !sigdata.redeem_script.empty()) { 916 redeem_script = sigdata.redeem_script; 917 } 918 if (witness_script.empty() && !sigdata.witness_script.empty()) { 919 witness_script = sigdata.witness_script; 920 } 921 signatures.insert(std::make_move_iterator(sigdata.signatures.begin()), std::make_move_iterator(sigdata.signatures.end())); 922 } 923 924 namespace { 925 /** Dummy signature checker which accepts all signatures. */ 926 class DummySignatureChecker final : public BaseSignatureChecker 927 { 928 public: 929 DummySignatureChecker() = default; 930 bool CheckECDSASignature(const std::vector<unsigned char>& sig, const std::vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const override { return sig.size() != 0; } 931 bool CheckSchnorrSignature(std::span<const unsigned char> sig, std::span<const unsigned char> pubkey, SigVersion sigversion, ScriptExecutionData& execdata, ScriptError* serror) const override { return sig.size() != 0; } 932 bool CheckLockTime(const CScriptNum& nLockTime) const override { return true; } 933 bool CheckSequence(const CScriptNum& nSequence) const override { return true; } 934 }; 935 } 936 937 const BaseSignatureChecker& DUMMY_CHECKER = DummySignatureChecker(); 938 939 namespace { 940 class DummySignatureCreator final : public BaseSignatureCreator { 941 private: 942 char m_r_len = 32; 943 char m_s_len = 32; 944 public: 945 DummySignatureCreator(char r_len, char s_len) : m_r_len(r_len), m_s_len(s_len) {} 946 const BaseSignatureChecker& Checker() const override { return DUMMY_CHECKER; } 947 bool CreateSig(const SigningProvider& provider, std::vector<unsigned char>& vchSig, const CKeyID& keyid, const CScript& scriptCode, SigVersion sigversion) const override 948 { 949 // Create a dummy signature that is a valid DER-encoding 950 vchSig.assign(m_r_len + m_s_len + 7, '\000'); 951 vchSig[0] = 0x30; 952 vchSig[1] = m_r_len + m_s_len + 4; 953 vchSig[2] = 0x02; 954 vchSig[3] = m_r_len; 955 vchSig[4] = 0x01; 956 vchSig[4 + m_r_len] = 0x02; 957 vchSig[5 + m_r_len] = m_s_len; 958 vchSig[6 + m_r_len] = 0x01; 959 vchSig[6 + m_r_len + m_s_len] = SIGHASH_ALL; 960 return true; 961 } 962 bool CreateSchnorrSig(const SigningProvider& provider, std::vector<unsigned char>& sig, const XOnlyPubKey& pubkey, const uint256* leaf_hash, const uint256* tweak, SigVersion sigversion) const override 963 { 964 sig.assign(64, '\000'); 965 return true; 966 } 967 std::vector<uint8_t> CreateMuSig2Nonce(const SigningProvider& provider, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256* leaf_hash, const uint256* merkle_root, SigVersion sigversion, const SignatureData& sigdata) const override 968 { 969 std::vector<uint8_t> out; 970 out.assign(MUSIG2_PUBNONCE_SIZE, '\000'); 971 return out; 972 } 973 bool CreateMuSig2PartialSig(const SigningProvider& provider, uint256& partial_sig, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const CPubKey& part_pubkey, const uint256* leaf_hash, const std::vector<std::pair<uint256, bool>>& tweaks, SigVersion sigversion, const SignatureData& sigdata) const override 974 { 975 partial_sig = uint256::ONE; 976 return true; 977 } 978 bool CreateMuSig2AggregateSig(const std::vector<CPubKey>& participants, std::vector<uint8_t>& sig, const CPubKey& aggregate_pubkey, const CPubKey& script_pubkey, const uint256* leaf_hash, const std::vector<std::pair<uint256, bool>>& tweaks, SigVersion sigversion, const SignatureData& sigdata) const override 979 { 980 sig.assign(64, '\000'); 981 return true; 982 } 983 }; 984 985 } 986 987 const BaseSignatureCreator& DUMMY_SIGNATURE_CREATOR = DummySignatureCreator(32, 32); 988 const BaseSignatureCreator& DUMMY_MAXIMUM_SIGNATURE_CREATOR = DummySignatureCreator(33, 32); 989 990 bool IsSegWitOutput(const SigningProvider& provider, const CScript& script) 991 { 992 int version; 993 valtype program; 994 if (script.IsWitnessProgram(version, program)) return true; 995 if (script.IsPayToScriptHash()) { 996 std::vector<valtype> solutions; 997 auto whichtype = Solver(script, solutions); 998 if (whichtype == TxoutType::SCRIPTHASH) { 999 auto h160 = uint160(solutions[0]); 1000 CScript subscript; 1001 if (provider.GetCScript(CScriptID{h160}, subscript)) { 1002 if (subscript.IsWitnessProgram(version, program)) return true; 1003 } 1004 } 1005 } 1006 return false; 1007 } 1008 1009 bool SignTransaction(CMutableTransaction& mtx, const SigningProvider* keystore, const std::map<COutPoint, Coin>& coins, int nHashType, std::map<int, bilingual_str>& input_errors) 1010 { 1011 bool fHashSingle = ((nHashType & ~SIGHASH_ANYONECANPAY) == SIGHASH_SINGLE); 1012 1013 // Use CTransaction for the constant parts of the 1014 // transaction to avoid rehashing. 1015 const CTransaction txConst(mtx); 1016 1017 PrecomputedTransactionData txdata; 1018 std::vector<CTxOut> spent_outputs; 1019 for (unsigned int i = 0; i < mtx.vin.size(); ++i) { 1020 CTxIn& txin = mtx.vin[i]; 1021 auto coin = coins.find(txin.prevout); 1022 if (coin == coins.end() || coin->second.IsSpent()) { 1023 txdata.Init(txConst, /*spent_outputs=*/{}, /*force=*/true); 1024 break; 1025 } else { 1026 spent_outputs.emplace_back(coin->second.out.nValue, coin->second.out.scriptPubKey); 1027 } 1028 } 1029 if (spent_outputs.size() == mtx.vin.size()) { 1030 txdata.Init(txConst, std::move(spent_outputs), true); 1031 } 1032 1033 // Sign what we can: 1034 for (unsigned int i = 0; i < mtx.vin.size(); ++i) { 1035 CTxIn& txin = mtx.vin[i]; 1036 auto coin = coins.find(txin.prevout); 1037 if (coin == coins.end() || coin->second.IsSpent()) { 1038 input_errors[i] = _("Input not found or already spent"); 1039 continue; 1040 } 1041 const CScript& prevPubKey = coin->second.out.scriptPubKey; 1042 const CAmount& amount = coin->second.out.nValue; 1043 1044 SignatureData sigdata = DataFromTransaction(mtx, i, coin->second.out); 1045 // Only sign SIGHASH_SINGLE if there's a corresponding output: 1046 if (!fHashSingle || (i < mtx.vout.size())) { 1047 ProduceSignature(*keystore, MutableTransactionSignatureCreator(mtx, i, amount, &txdata, nHashType), prevPubKey, sigdata); 1048 } 1049 1050 UpdateInput(txin, sigdata); 1051 1052 // amount must be specified for valid segwit signature 1053 if (amount == MAX_MONEY && !txin.scriptWitness.IsNull()) { 1054 input_errors[i] = _("Missing amount"); 1055 continue; 1056 } 1057 1058 ScriptError serror = SCRIPT_ERR_OK; 1059 if (!sigdata.complete && !VerifyScript(txin.scriptSig, prevPubKey, &txin.scriptWitness, STANDARD_SCRIPT_VERIFY_FLAGS, TransactionSignatureChecker(&txConst, i, amount, txdata, MissingDataBehavior::FAIL), &serror)) { 1060 if (serror == SCRIPT_ERR_INVALID_STACK_OPERATION) { 1061 // Unable to sign input and verification failed (possible attempt to partially sign). 1062 input_errors[i] = Untranslated("Unable to sign input, invalid stack size (possibly missing key)"); 1063 } else if (serror == SCRIPT_ERR_SIG_NULLFAIL) { 1064 // Verification failed (possibly due to insufficient signatures). 1065 input_errors[i] = Untranslated("CHECK(MULTI)SIG failing with non-zero signature (possibly need more signatures)"); 1066 } else { 1067 input_errors[i] = Untranslated(ScriptErrorString(serror)); 1068 } 1069 } else { 1070 // If this input succeeds, make sure there is no error set for it 1071 input_errors.erase(i); 1072 } 1073 } 1074 return input_errors.empty(); 1075 }